Staying Safe on Second-String Social Media Sites

Cybercriminals love attacking social-media websites like Facebook
and Twitter, and it's easy to see why.

"There are three reasons why social-media
sites continue to be a prime target for cybercriminals: the
vast amount of personally identifiable information housed on
these channels, the tendency of users to let their guard down
when using social-media tools and the regularity with which users
visit their favorite sites," said Chris Boyd, senior threat
researcher with the international computer-security firm GFI
Software.

The pool of information to choose from makes it even more
tempting for bad guys, Boyd added, as social-media use spills
over from personal connections to business connections.

With
the exception of Pinterest, which has skyrocketed in its
popularity over the past year, most "second-string" social-media
sites are under the radar for the vast majority of users — and,
you would think, for cybercriminals as well.

The benefit of attacking smaller sites is that — as with any new
target or attack method — users aren't as aware of or as educated
about potential threats, which ultimately enables scammers to
catch victims off guard.

"Because social media is all about being social, and most
interactions occur within a network of confirmed 'friends,' users
often let their guard down when using these sites," Boyd said.
"This is a common tendency whether users are on Facebook,
Twitter, Pinterest, Tumblr or another social media channel.

"The difference is that there is now an abundance of research on
Facebook and Twitter scams, so users are more aware of the
security risks involved and have a greater sense of vigilance
when using these sites. For this reason, we are starting to see
attackers target new social media platforms as well."

Smaller sites, bigger rewards

These lesser-known sites also have very valuable information,
points out Nicholas Arvanitis, principal security consultant in
the New York office of the South African IT provider Dimension
Data.

"Consider Foursquare as an example," Arvanitis said. "As an
attacker, understanding my target's physical movements is very
promising. I can profile their habits, at any given time I can
pinpoint their location, and I can use this information in many
different ways.

People also tend to project different profiles on different
social networks. Someone's profile on LinkedIn might be very
professional, and his or her Quora profile could be similar, but
a completely different side of that person may be shown on
Pinterest, Path or Flickr.

"If I want to truly get to the core of information that I could
use to better understand, profile and target a victim, I want a
better understanding of the entirety of their image, especially
the bits they feel are of a more personal nature," Arvanitis
said.

Stumble in the jungle

For example, Boyd said, Tumblr users stumble through reward
offers for fictional gift cards. Tumblr encourages users to
repost content quickly and easily — an
ideal scenario for scammers who can think up a good ruse.

Many of the most popular Tumblr threats involve fake "official"
Tumblr staff blog entries serving up "free" offers, such as
airline tickets and Starbucks gift cards, to users who complete a
reward offer or survey.

Since users typically don't check the validity of content sources
— likely a result of the "rapid reblog" Tumblr mindset — they are
misled into divulging personally identifiable information that is
often used for malicious gain.

YouTube viewers, on the other hand,
often hit "play" on phony videos. Cybercriminals take
advantage of YouTube's video platform to lure users into
downloading malicious files. Promises of video game cracks,
music videos and sneak-peek movie trailers are popular lures that
pique users' interest.

YouTube scams can end in any number of ways, including installing
malware on users' systems, prompting them to fill out surveys, or
tricking them into entering personally identifiable information
for account validation.

While LinkedIn arguably hosts the most valuable information to
cybercriminals, before this month it was perhaps the least
targeted major social media platform.

Why? Because the site's user base is generally more tech-savvy
and aware of social media threats and attack methods — making it
harder for attackers to penetrate and resulting in lower payoff
when they do.

When LinkedIn is targeted, the schemes often involve fake
invitations and other mail messages that aim to drop malware onto users' machines.

The bottom line, Arvanitis and Boyd agree, is that even while a
given social-media site may not have the high profile of
Facebook, and attacks against it may not be front-page news,
users still need to be aware of the full gamut of risks, and how
attackers target social media.

"Vigilance, education and awareness are the keys to staying safe
when using social media sites," Boyd said. "Consumers should be
extra cautious when using social-networking tools and think twice
before clicking or sharing links or downloading videos or
applications they are unsure about.

"Additionally, understanding what types of attacks are most
common on different social media platforms — and why — can help
users identify and defend against malware lurking on them."